June 3, 2016

Malware Recovery: What to Do When Google Says You’ve Been Hacked

Categories: Blog
Your business is doing well, your website is kept up to date and it ranks well on Google. Then one day it all comes crashing down: traffic drops sharply and Google is showing malware warnings for your site. You do not know what happened or how it happened. Before you start guessing, understand this: a malware warning from Google is not a false alarm and cannot be taken lightly. It almost certainly means that an attacker gained access to your website, uploaded malicious code and left. This can happen no matter how secure you believe your website to be.
A hacked site is bad for business: your rankings suffer considerably and your visitors' computers may be infected. This needs to be fixed as a priority, but before you fix anything you need to find the root of the problem, and you can only do that once you understand what actually happened.

“The meaning of a site hack and why it happens”

Before diving into solutions, you need to know exactly what the problem is and how it happened. Roughly 90% of the time a website is hacked for financial gain; the other 10% of the time it is done for fun. The attacker can be anyone: a business competitor, an ex-employee with a grudge, or someone simply playing around at your expense. One fast-growing category of financially motivated malware is scareware: malware that tricks the victim into buying a "security" product to remove an infection, when the fake scanner is itself the infection. Most people take the pop-up for a genuine Microsoft virus scanner; in reality the "scanner" is the malware. It is like taking a cough syrup for your cough when the syrup itself is what is damaging your health: the syrup, not the cough, is the real culprit. Do not be fooled by a fake virus scanner any more than you would be by a harmful syrup.
Coming back to your website: the attacker may be after valuable information on your internal network, or may simply want to spread malware to as many computers as possible for the purpose of extortion. What a site hack actually is, though, is simple: someone accessed and modified the code on your website without your permission. In the vast majority of cases (call it 99%) a piece of JavaScript (JS) has been added to every index.html or index.php page. Once the attacker has access to your website, the malicious JS is injected into all of your files. That code can do many things: redirect the visitor to a different page (usually spam), pass your site's PageRank (via links) to the attacker's or a client's site, or, in the worst case, trigger a "drive-by" download that infects your visitors' computers with malware. That is bad for everyone: your business, your users or clients, and even your staff.

“Determining the possible causes is important”

Now that you know what a site hack is and how it happens, you need to determine the possible causes. However safe your computer feels and however good your security is, face the truth: even top-notch security cannot always protect you. Every piece of web software has weaknesses, and this is especially true when you run a common Content Management System (CMS) such as WordPress, Joomla, SimpleCMS or Magento. These are widely deployed, so known vulnerabilities (SQL injection among them) are actively scanned for, and there is a strong possibility your site was compromised through one of them. But note that the most common entry point for a website malware infection is not the website at all; it is the computers on which the site was developed and maintained. Assuming all of the software on your website is up to date and every patch is applied, you will often find that it is a user's computer that is infected. How does that happen? The attacker tries your website first, finds it secure, and moves on to a less secure site. He compromises that site and installs a malicious script that enables "drive-by" downloads (the script automatically installs and runs malware on visitors' machines).
A user who is a webmaster, or otherwise has access to your website, visits that compromised site. The JS loads and runs automatically, then installs a copy of the malware on the visitor's computer. There are signs once a computer is infected: a brief flash on the screen, an hourglass cursor appearing while the machine is seemingly idle, or an increase in running tasks in Task Manager (on Windows). So now the webmaster's computer is infected, but how does the malware get onto the website? It is surprisingly simple. The user has no idea the computer is infected and carries on working. While he works or browses, the malware runs in the background and scans known directories for stored login details. You might expect it to hunt for banking, PayPal or Facebook credentials, but what it is really looking for is CoreFTP and FileZilla logins. Most common FTP programs store saved passwords in plain text, or in a trivially decodable form such as base64 (recent FileZilla releases offer an optional master password, but without it the saved credentials remain readable). Once the malware finds the usual locations of stored passwords, it sends all of them to the attacker, like a spy who reports back the moment he has what he came for. The attacker now has access to your website, where he regenerates his malware and redistributes it from your site.
Scary as that sounds, it is a real and common pattern. Now that you know the root of the problem and what has happened, you need to fix it, or rather clean up the mess.

“Cleaning is the next step after determining the problem”

Cleaning up malware is difficult, stressful and time-consuming. We strongly advise getting professional help if you are not familiar with code and do not know what is supposed to "look right" on your website. If you are familiar and comfortable with it, here is what you should do.
The first step is cleaning; it is a rule of thumb. When something is fouled, you clean it first. If a storm blows soil through the windows of your house, you pick up a mop and start cleaning. Likewise, flush every virus and piece of malware out of the system before you fix anything. If you fix before you clean, the whole cycle is likely to repeat and you will be forever catching up. Here is an ordered list of what to do.
  • Report the incident to your hosting provider and/or IT staff.
  • Scan all computers that have access to your website. ALL means all; there can be no exceptions.
  • Run multiple scanning tools. We suggest Malwarebytes, Spybot Search & Destroy, ComboFix and Microsoft Security Essentials.
  • Update your virus scanner before every scan.
  • Review your startup entries. In Windows, go to Run > msconfig and check each item.
  • In the Windows Registry Editor, go through each "Run" and "RunOnce" entry (under HKLM\Software\Microsoft\Windows\CurrentVersion and the matching HKCU key) looking for suspicious items.
  • Change ALL passwords associated with your website: CMS admin accounts, FTP, MySQL, control panels, without fail. Do this from a computer you have already cleaned, otherwise the new passwords are harvested just like the old ones.
  • Download all of your website's files (for review and analysis of the injected code).
If you have a backup of your website, now is the time to restore it (provided the backup predates the compromise, or you will restore the injected code along with it); if you do not have one, ask your hosting company. If they cannot provide one either, there is no need to panic: the injected code can be removed by hand. It is not hard, but it is extremely time-consuming because there is a lot of searching. The logical approach is to download the entire site over FTP and sort the files by modification date: the compromised files will be the ones modified most recently, although an attacker can reset timestamps, so an old date is no proof that a file is clean. Typically it is mostly the index.php files that were hit. When you read the code, look for odd-looking obfuscated JS at the very top or very bottom of the file; once you have seen it, you will recognise the problem immediately. To proceed manually, review and edit every infected file: removing the injected code and re-uploading the file cures that page. Then double-check all files, both by eye and by sorting them again by modification date, to make sure you caught every compromised file.
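The triage described above, scripted as an added example that is not part of the original post: it lists a downloaded copy of the site newest-first, flags script blocks that look like the obfuscated injections the post describes (eval(unescape(...)), long String.fromCharCode runs, hidden iframes, and the PHP eval(base64_decode(...)) variant), and strips only those blocks from a file's text. The sample site tree written by build_sample_site() and the injected snippet are constructed for the demo (the snippet decodes to a harmless JS comment); the patterns are heuristics, so review every hit by eye before deleting anything.

```python
"""Added example (not from the original post): triage a downloaded copy of a
site for injected JavaScript.  Lists web files newest-first, flags script
blocks matching common obfuscation markers and strips only those blocks.
The sample tree and injected snippet below are constructed for the demo."""
import os
import re
import tempfile
import time
from pathlib import Path

# Markers that almost never appear in hand-written page code.  Heuristic only.
SUSPICIOUS = re.compile(
    r"eval\s*\(\s*unescape\s*\("
    r"|document\.write\s*\(\s*unescape\s*\("
    r"|String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}"      # long numeric runs
    r"|<iframe\b[^>]*(?:width\s*=\s*['\"]?0\b|height\s*=\s*['\"]?0\b|display\s*:\s*none)"
    r"|eval\s*\(\s*base64_decode\s*\(",                  # PHP backdoor style
    re.IGNORECASE,
)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
WEB_EXT = {".php", ".html", ".htm", ".js"}


def recently_modified(root, limit=20):
    """Relative paths of web files under root, newest mtime first.  The first place
    to look, but an attacker can reset timestamps, so an old date proves nothing."""
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file() and p.suffix.lower() in WEB_EXT]
    files.sort(key=lambda p: p.stat().st_mtime, reverse=True)
    return [p.relative_to(root).as_posix() for p in files[:limit]]


def find_injections(text):
    """Suspicious snippets in one file: script blocks matching SUSPICIOUS, plus
    hidden iframes or PHP eval(base64_decode()) found outside any script block."""
    hits = [m.group(0) for m in SCRIPT_BLOCK.finditer(text) if SUSPICIOUS.search(m.group(0))]
    outside = SCRIPT_BLOCK.sub("", text)
    hits += [m.group(0) for m in SUSPICIOUS.finditer(outside)]
    return hits


def scan_site(root):
    """Map relative path -> suspicious snippets, newest file first."""
    report = {}
    for rel in recently_modified(root, limit=None):
        hits = find_injections(Path(root, rel).read_text(errors="replace"))
        if hits:
            report[rel] = hits
    return report


def clean_text(text):
    """Drop only script blocks that match SUSPICIOUS; legitimate <script src=...>
    tags are kept.  Returns (cleaned_text, number_of_blocks_removed)."""
    removed = 0

    def drop(match):
        nonlocal removed
        if SUSPICIOUS.search(match.group(0)):
            removed += 1
            return ""
        return match.group(0)

    return SCRIPT_BLOCK.sub(drop, text), removed


# Constructed sample: the injected block merely decodes to "/* constructed sample */".
INJECTED = '<script>eval(unescape("%2f%2a%20constructed%20sample%20%2a%2f"))</script>'
CLEAN_PHP = '<?php include "header.php"; ?>\n<h1>Hello</h1>\n<script src="/js/app.js"></script>\n'


def build_sample_site(root=None):
    """Write a small constructed site; infected files get a current mtime, clean ones an old one."""
    root = Path(root or tempfile.mkdtemp(prefix="site-"))
    (root / "blog").mkdir(parents=True, exist_ok=True)
    old = time.time() - 30 * 86400
    files = {
        "index.php": CLEAN_PHP + INJECTED + "\n",                           # appended at the bottom
        "blog/index.html": INJECTED + "\n<html><body>post</body></html>\n",  # prepended at the top
        "about.html": "<html><body>About us</body></html>\n",
        "style.css": "body { color: #333 }\n",
    }
    for rel, body in files.items():
        path = root / rel
        path.write_text(body)
        stamp = time.time() if INJECTED in body else old
        os.utime(path, (stamp, stamp))
    return root


def run_demo():
    """Build the sample, scan it and clean index.php; returns (root, report, cleaned, removed)."""
    root = build_sample_site()
    report = scan_site(root)
    cleaned, removed = clean_text((root / "index.php").read_text())
    return root, report, cleaned, removed


if __name__ == "__main__":
    root, report, cleaned, removed = run_demo()
    print("newest first:", recently_modified(root))
    for rel, hits in report.items():
        print(f"{rel}: {len(hits)} suspicious block(s), e.g. {hits[0][:60]}...")
    print(f"index.php: removed {removed} block(s)\n{cleaned}")
```

Point scan_site() at the directory you downloaded over FTP and work through the report top to bottom; clean_text() leaves ordinary script tags alone, but a hit that is not in SUSPICIOUS still needs a human eye, and a clean-looking file with a fresh timestamp deserves one too.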
The big part is done, but the problem is not yet solved. If your website was flagged for malware, as it most likely was, review Google/Bing Webmaster Tools to confirm you have fixed every problem they found, then respond to the notification or submit a reconsideration request. Google is good at restoring rankings once a problem is fixed; expect the process to take about 7 to 14 days. Remember, this can happen to anyone. However, as the saying goes, prevention is better than cure: be prepared and try to prevent such situations.

“Prevention is always better than cure”

If your website is hit with malware, it can cost your business dearly: the site may be offline for days if you are lucky, or weeks if you are not. You can, however, be prepared, or better still, avoid becoming a victim in the first place. If you run a CMS (such as Joomla or WordPress) on your website, some of the security measures to take are as follows:
  • Keep your CMS, and its plugins and themes, updated;
  • Hide or, better, restrict default login areas (such as /administrator or /wp-admin), for example by IP address or with a second authentication factor;
  • Change default user names (most CMSes use "admin" as the default login, so change this to something more personal and less guessable);
  • Make sure your hosting provider keeps its servers secure; and
  • Install and configure backup utilities, and keep copies somewhere other than the web server itself.

As you will have noticed, there are multiple areas that need protection. But remember that in the scenario above the malware arrived from a personal computer. So besides keeping your website secure, you must keep your own computer secure, and so must any co-workers or firms who have access to your website. Everyone is responsible for keeping the website protected. Make sure that every computer that accesses your website via FTP is secure as well. Some basic steps:
  • Keep up with OS updates and patches.
  • Keep all software updated and patched.
  • Regularly scan your computer with the software mentioned above, and keep in mind that anti-virus software is useless if you do not keep it updated.
  • Do NOT save passwords in your FTP programs.
  • If you have multiple FTP users, assign different rights to different users; avoid giving every user access to the entire FTP root. Where the host supports it, use SFTP or FTPS instead of plain FTP so that credentials are not sent in clear text.
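The credential-harvesting step described earlier (malware reading saved FileZilla logins) and the "do not save passwords" rule above both come down to what sits in the FTP client's site file. Below is an added example, not part of the original post, that audits a FileZilla Site Manager file for saved credentials and for entries still using cleartext FTP. The XML is a constructed sample in the shape of FileZilla 3's sitemanager.xml (an assumption about the format; compare it with your own copy), and the protocol and logon codes it interprets are assumptions as well. Decoded passwords are never printed, only their length, to show that they are recoverable by anything that can read the file.

```python
"""Added example (not from the original post): audit a FileZilla Site Manager
file for saved credentials and cleartext FTP entries.  The XML below is a
constructed sample in the shape of FileZilla 3's sitemanager.xml (assumed
format).  On Windows the real file is %APPDATA%\\FileZilla\\sitemanager.xml,
on Linux/macOS ~/.config/filezilla/sitemanager.xml."""
import base64
import os
import xml.etree.ElementTree as ET
from pathlib import Path

SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.10.1" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.com</Host><Port>21</Port><Protocol>0</Protocol>
      <Logontype>1</Logontype><User>webmaster</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>Production (FTP, password saved)</Name>
    </Server>
    <Server>
      <Host>sftp.example.com</Host><Port>22</Port><Protocol>1</Protocol>
      <Logontype>2</Logontype><User>deploy</User>
      <Name>Staging (SFTP, asks for password)</Name>
    </Server>
    <Server>
      <Host>legacy.example.com</Host><Port>21</Port><Protocol>0</Protocol>
      <Logontype>1</Logontype><User>oldadmin</User>
      <Pass>letmein</Pass>
      <Name>Old entry (plain-text password)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

# Assumed FileZilla protocol codes; anything else is reported by number.
PROTOCOLS = {"0": "FTP", "1": "SFTP"}


def field(server, tag):
    """Text of a child element, or '' if absent."""
    return (server.findtext(tag) or "").strip()


def saved_password(server):
    """Stored password for a <Server> element, or None if none is saved.
    base64 is an encoding, not encryption: whoever can read the file can decode it."""
    pass_el = server.find("Pass")
    if pass_el is None or not (pass_el.text or "").strip():
        return None
    raw = pass_el.text.strip()
    if pass_el.get("encoding") == "base64":
        return base64.b64decode(raw).decode("utf-8", "replace")
    return raw


def audit_sitemanager(xml_text):
    """One finding per <Server>: is a recoverable password stored on disk, and is the
    transport cleartext FTP (credentials readable on the wire as well as on disk)?"""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for server in root.iter("Server"):
        pwd = saved_password(server)
        proto = field(server, "Protocol")
        findings.append({
            "name": field(server, "Name"),
            "host": field(server, "Host"),
            "user": field(server, "User"),
            "protocol": PROTOCOLS.get(proto, "code " + proto),
            "password_saved": pwd is not None,
            "password_length": len(pwd or ""),
            "cleartext_transport": proto == "0",
        })
    return findings


def risky_entries(findings):
    """Entries to fix: saved password (remove it, let the client ask) or plain FTP (move to SFTP/FTPS)."""
    return [f for f in findings if f["password_saved"] or f["cleartext_transport"]]


def candidate_paths():
    """Where FileZilla normally keeps sitemanager.xml on this machine."""
    paths = [Path.home() / ".config" / "filezilla" / "sitemanager.xml"]
    if os.environ.get("APPDATA"):
        paths.append(Path(os.environ["APPDATA"]) / "FileZilla" / "sitemanager.xml")
    return paths


if __name__ == "__main__":
    real = [p for p in candidate_paths() if p.exists()]
    xml_text = real[0].read_text(encoding="utf-8") if real else SAMPLE_SITEMANAGER
    print("auditing:", real[0] if real else "constructed sample")
    for f in risky_entries(audit_sitemanager(xml_text)):
        flags = []
        if f["password_saved"]:
            flags.append(f"password saved ({f['password_length']} chars, recoverable)")
        if f["cleartext_transport"]:
            flags.append("cleartext FTP")
        print(f"{f['name']} [{f['user']}@{f['host']}, {f['protocol']}]: " + "; ".join(flags))
```

Run it on every workstation that touches the site; the same idea applies to CoreFTP and any other client that remembers logins. An entry that comes back flagged is exactly what the malware in the scenario above is built to find, so switch it to "ask for password" (or a master-password-protected store) and, where the server allows, to SFTP or FTPS.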
admin